Closed wchristian closed 7 years ago
@ranguard is this part of the Fastly config?
Enable TLS 1.2 in your browser options and it will work
All other options are no longer supported (and you will soon find this on lots of sites - as the older versions will not be PCI compliant soon)
Leo
On 30 Aug 2017, at 15:47, Olaf Alders notifications@github.com wrote:
@ranguard is this part of the Fastly config?
Any chance you could deprecate this gracefully with a warning notice? For a while Opera ASA automatically disabled TLS 1.2 on auto-update (don't remember the reason, probably because it was too early for it to work gracefully). Having TLS 1.0 work with a warning would allow people to notice and fix this.
Also, you might wanna address the other domains as well for consistency: https://observatory.mozilla.org/analyze.html?host=fastapi.metacpan.org#tls
haarg just told me you can choose to use the configuration fastapi has for the main domain still, so a graceful deprecation can be done.
To prevent guesswork about what I mean by graceful deprecation:
I'd be happy to provide a patch that adds a ribbon at the top of the site for Opera users at v12 and below, with the following text. If necessary I'll also add JS to hide it and set a cookie to keep it hidden.
"We're switching off TLS 1.0 and 1.1 on date XYZ, enable TLS 1.2 in your settings by then."
TLS 1.2 is shortly going to become the only option many many sites support. So the issue here is with Opera (which should enable 1.2 by default) and the updates (which should also enable or at least not disable 1.2), not with our site. Please open an issue with them.
Further explanation of why it is not worth our time to do this:
All our traffic goes through Fastly (our CDN) and to make things secure/compliant they are in the process of deprecating anything other than TLS 1.2:
https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan
We have dropped support for anything other than TLS 1.2 for quite a while (I'm trying to get confirmation of when that happened, but I think it was as part of the April change over).
Our plan was if there were lots of complaints we'd do a rollback and build a deprecation screen to display. We had no one complain at this point so did no further work.
There were 167 Opera users identified with the Opera browser in the last 30 days, and I'm assuming some of those are the reskin, so quite happily on TLS 1.2.
It would be non-trivial for us to add any messaging: we would have to switch to the Fastly legacy system (their main system will not do SSL for anything other than TLS 1.2) and then change Fastly configuration to identify the TLS connection used and serve an instruction page on how to enable TLS 1.2 (we could not just add a banner as we have caching in place which this would not work with) - and for a couple of hundred users that's not worth my time - Sorry.
We have dropped support for anything other than TLS 1.2 for quite a while (I'm trying to get confirmation of when that happened, but I think it was as part of the April change over).
No you did not. This change is very recent. I was browsing metacpan just fine a few days ago on Opera v12.
the issue here is with Opera (which should enable 1.2 by default) and the updates (which should also enable or at least not disable 1.2), not with our site.
Your mention of a reskin implies you know that asking Opera to do anything with Opera v12 is fruitless because they've thrown that code base away, cloned Chrome with a custom skin and were bought by a Chinese malware company after firing all their browser developers. So I don't understand why you even suggest that.
Also, haarg checked the traffic in greater detail:
17:26 (haarg) Mithaldu: there are a handful of people accessing the site using old opera
17:26 (haarg) 0.066 percent of our traffic
It would be non-trivial for us to add any messaging
You're going about this the wrong way. The way you proposed is indeed onerous. However all you need is a handful of lines of Javascript, which I am happy to provide. I'm fairly sure adding a bit of JS would not affect your caching, right?
There was more discussion about this on IRC and even mst agrees it is reasonable. Please go and have a read of the #metacpan logs.
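As an added example, not code from this issue or from the metacpan project, here is the kind of client-side ribbon the comment above proposes, written in ES5 (no const/let/arrow functions) because Presto-era Opera would have to execute it. It recognises Opera 12 and older from the user agent, inserts the notice text from the earlier comment, and sets a cookie when the user hides it. The function names, the cookie name and the placeholder cut-off date are assumptions. Two caveats a practitioner would want: the user agent is client-controlled, so this is messaging only and never an access decision; and a script like this is only delivered while the CDN still completes TLS 1.0/1.1 handshakes, so it needs the legacy Fastly configuration for the notice period either way.

```javascript
// Added example, not code from the metacpan issue or the metacpan project.
// ES5 on purpose: Presto-era Opera (<= 12.18) has to be able to run it.
// The user agent is client-controlled, so this drives a notice only.
// COOKIE_NAME, CUTOFF_DATE and the function names are assumptions.

var COOKIE_NAME = 'tls_notice_dismissed'; // assumed cookie name
var CUTOFF_DATE = 'date XYZ';             // the thread fixes no date; placeholder

// Returns the major version of Presto-era Opera, or null for any other browser.
// Standard Presto UA:   "Opera/9.80 (...) Presto/2.12.388 Version/12.18"
// "Identify as" modes:  "Mozilla/5.0 (...) Firefox/2.0.0 Opera 12.18"
// Chromium-based Opera: "Mozilla/5.0 (...) Chrome/60.0 ... OPR/47.0" (not matched)
function prestoOperaMajor(ua) {
  if (!/\bOpera\b/.test(ua) || /\bOPR\//.test(ua)) return null;
  var m = /Version\/(\d+)\./.exec(ua) || /Opera[ \/](\d+)\./.exec(ua);
  if (!m) return null;
  var major = parseInt(m[1], 10);
  // Every Presto release is <= 12; anything above is not the affected line.
  return major <= 12 ? major : null;
}

// True if the dismissal cookie is present in a document.cookie style string.
function hasDismissedCookie(cookieString) {
  var parts = (cookieString || '').split(';');
  for (var i = 0; i < parts.length; i++) {
    if (parts[i].replace(/^\s+/, '').split('=')[0] === COOKIE_NAME) return true;
  }
  return false;
}

function shouldShowRibbon(ua, cookieString) {
  return prestoOperaMajor(ua) !== null && !hasDismissedCookie(cookieString);
}

function ribbonText(cutoff) {
  return "We're switching off TLS 1.0 and 1.1 on " + cutoff +
         ', enable TLS 1.2 in your settings by then.';
}

// DOM glue; returns true if a ribbon was inserted at the top of the page.
function installRibbon(doc, nav) {
  if (!shouldShowRibbon(nav.userAgent, doc.cookie)) return false;
  var bar = doc.createElement('div');
  bar.setAttribute('role', 'alert');
  bar.appendChild(doc.createTextNode(ribbonText(CUTOFF_DATE) + ' '));
  var hide = doc.createElement('button');
  hide.appendChild(doc.createTextNode('Hide'));
  hide.onclick = function () {
    // 90-day cookie via expires= (supported everywhere); Secure because the
    // site is served over HTTPS only. No user data is stored, just a flag.
    var expires = new Date(Date.now() + 90 * 24 * 60 * 60 * 1000).toUTCString();
    doc.cookie = COOKIE_NAME + '=1; path=/; expires=' + expires + '; secure';
    bar.parentNode.removeChild(bar);
  };
  bar.appendChild(hide);
  doc.body.insertBefore(bar, doc.body.firstChild);
  return true;
}

// Only touch the DOM when running in a browser.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  installRibbon(document, navigator);
}
```

Because the ribbon is built client-side from a static script, it is unaffected by CDN caching of the HTML: every cached copy of the page carries the same script, and the decision is made in the browser.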
IRC log on whether something on my end might've changed. Feel free to ask if you have more guesses:
31 14:46 (haarg) Mithaldu: are you certain something didn't change recently on your end?
31 14:46 (Mithaldu) auto updates are disabled
31 14:46 (haarg) the tls configuration we're using shouldn't have changed for a while
31 14:47 (Mithaldu) i'm extremely sure
31 14:47 (Mithaldu) i have tabs open in my opera that i opened on
31 14:48 (Mithaldu) haarg: 2017-08-20
31 14:48 (haarg) that doesn't mean nothing changed on your end
31 14:48 (Mithaldu) i have changed no hardware, software or anything
31 14:48 (Mithaldu) windows hasn't even given me anything beyond defender signature updates
31 14:49 (Mithaldu) also, i started this opera process on: 12:17:59 20.08.2017
31 14:49 (Mithaldu) as in
31 14:49 (Mithaldu) the browser has not been closed since then
31 14:50 (Mithaldu) there is no feasible way for tls 1.2 having become disabled since then
31 14:50 (Mithaldu) and i don't think there's a method for my isp to force tls 1.0 into the connection?
31 14:50 (Mithaldu) haarg: but, please, if you can think of things that changed other than that, i'm happy to test
31 14:52 (haarg) and you had autoupdate entirely disabled, and didn't click the manual check button?
31 14:52 (haarg) there's basically no way that this changed on metacpan in the last few weeks
31 14:52 (Mithaldu) auto update is set to notify only
31 14:52 (Mithaldu) and i am not aware of a button for it even existing
31 14:53 (Mithaldu) ok, found it in the help menu, triggered it
31 14:54 (Mithaldu) tls 1.2 is still on
31 14:55 (Mithaldu) are there even mechanisms to somehow make a 1.0-only browser talk to a 1.2 server?
31 14:55 (haarg) no
31 14:55 (haarg) aside from a proxy
31 14:55 (haarg) a mitm proxy
31 14:55 (Mithaldu) i use vpn occasionally
31 14:56 (haarg) that wouldn't change anything
31 14:56 (Mithaldu) then i don't have any proxies i'm aware of
31 14:56 (haarg) http://forums.opera.com/discussion/1861721/opera-12-check-for-update-resets-settings-for-tls-1-1-and-1-2/p1 this page shows a manual update check disabling tls 1.2
31 14:57 (haarg) and implies the same could happen for an automatic check, even if it was only to notify
31 14:57 (Mithaldu) i did that above, i can record video of me following these steps
31 15:03 (Mithaldu) haarg: https://youtu.be/qntbdr1nVUo
I'm on holiday and hadn't followed IRC, thanks for the thread.
I have just confirmed with Fastly, the change happened on the 8th of Aug 2017 for metacpan.org (because of which certificate we are on), so confirmed this is on our end.
There is a path we could go down for the short term (that will end in June 2018) and we can get a VCL variable of which TLS version was used, so we can write configs based on this.
There is no point doing this in Javascript for a few Opera users (we would still have to do certificate changes with Fastly and update our DNS). There would be a point if we get lots of other reports from many different users. IF we get many other reports then I'll consider doing the work.
As a side note, I went through this process at work, with paying customers (I think that's why I was thinking of April) and the only issues reported were a few very old iOS safari users.
Thanks for confirming it's not on my end.
IF we get many other reports then I'll consider doing the work.
Human psychology will not allow this to become a reality, regardless of what the facts of the issue are. We discussed this fact on IRC also, but at this point I don't care to explain this anymore.
I give up.
If someone wants to pay for this work I will do it, but my OS time is limited and there are other things I want to spend it on.
TLS 1.0 has been deprecated for years. TLS 1.2 is almost ten years old.
@wchristian, there's a cost to supporting old/unmaintained/deprecated software and protocols, you didn't give any indication why you thought that cost would be smaller than the cost for you to use a supported/updated browser.
@abh I did not give any indication for thinking the cost of "support the old stuff" is lower because, as indicated by the comments in the issue, I moved my position from "support the old stuff" to "provide graceful deprecation via notices to users".
I'm using Opera v12.18, the last version Opera ASA released before switching to a reskin of chrome and proclaiming that the new Opera, and refusing to do further work on v12.
With that browser the metacpan server currently refuses to do SSL: "Handshake failed because the server does not want to accept the enabled SSL/TLS protocol versions."
The settings I see available for SSL are as follows. Can you please add one of them back to the config?